Provision a Proxmox server with L3 networking and EVPN for VM networks.
Configuration
The NetBox device and interfaces should define at least the following properties:
{
  "asn": { "asn": 65000 },
  "cluster": "pve",
  "cluster_type": "proxmox",
  "name": "pve-2",
  "interfaces": [
    {
      "comment": "Link to fabric for BGP.",
      "name": "lan0",
      "mac_address": "AA:BB:CC:DD:FF:00"
    },
    {
      "comment": "Link to fabric for BGP.",
      "name": "lan1",
      "mac_address": "AA:BB:CC:DD:FF:01"
    },
    {
      "comment": "Addresses on this interface are announced via BGP to fabric.",
      "name": "lo",
      "type": { "value": "virtual" },
      "ip_addresses": [
        {
          "address": "10.0.0.102/32",
          "dns_name": "pve-2.example.net",
          "role": { "value": "loopback" }
        },
        {
          "address": "1000::102/128",
          "dns_name": "pve-2.example.net",
          "role": { "value": "loopback" }
        }
      ]
    },
    {
      "comment": "A separate SSH instance will run in mgmt VRF.",
      "name": "mgmt0",
      "mac_address": "AA:BB:CC:DD:EE:00",
      "vrf": { "name": "mgmt" },
      "ip_addresses": [
        { "address": "10.0.1.102/24", "vrf": { "name": "mgmt" } },
        { "address": "1001::102/64", "vrf": { "name": "mgmt" } }
      ]
    }
  ]
}
EVPN
Each server needs a unique ASN. EVPN routes to individual VMs are announced to the fabric via BGP over the lan* interfaces. To allow the connected switch interfaces to receive EVPN routes, the switch config context should define ifaces_evpn:
"ifaces_evpn": ["swp11", "swp12"]
Firewall
Firewall rules are common to the whole cluster and are represented as NetBox services. Services must be attached to a specific device, so a “fake” VM is created to hold all rules for the cluster. Each service should then be added to the services custom field for the cluster. All traffic between cluster nodes is allowed by default.
Certificates
The role configures ACME settings based on the dns_name of the loopback IP address. The certificate has to be ordered manually once after setup.
Ceph
Two additional options may be defined in the config context for the device or cluster. Specifying
ceph-version: squid
will enable the no-subscription Ceph repository and install the given version.
LDAP
To sync users and groups with LDAP, add the following to the config context:
sync-ldap: realm
This will configure a daily cron job to sync users. The cluster password file should contain the ldap_user and ldap_pass keys. The LDAP servers are autodiscovered using the domain property from the config context.
Cluster
After setup, join the device into an existing cluster with
ip vrf exec default pvecm add pve-1.example.net --link0 10.0.0.101
where pve-1 is an existing cluster node and --link0 specifies the loopback address of the new device.